Multiple Stored Cross-Site Scripting Vulnerabilities in Optimizely Episerver Content Management System

Title: Multiple Stored Cross-Site Scripting Vulnerabilities
Product: Optimizely Episerver Content Management System (EPiServer.CMS.Core)
Vulnerable Version: Version 11.X: <11.21.4 ; Version 12.X: <12.22.1
Fixed Version: Version 11.X: 11.21.4 ; Version 12.X: 12.22.1
CVE Number: CVE-2025-27800, CVE-2025-27801, CVE-2025-27802
Impact: medium
Found: 25.04.2024
By: Kai Zimmermann (Office Frankfurt), Felix Beie (Office Fürth), SEC Consult Vulnerability Lab

Management Summary

The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.

Vendor description:

"Optimizely Content Management System equips marketers and developers with a modern, fully composable suite of user-friendly tools. Deliver impactful experiences across any channel, and personalize with AI-driven insights."

Source: https://www.optimizely.com/products/content-management/

Business recommendation:

The vendor already provides a security patch (updated packages) which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description:

1) Stored Cross-Site Scripting in Admin Dashboard (CVE-2025-27800)
The Admin dashboard offered the functionality to add gadgets to the dashboard, including the "Notes" gadget. An authenticated attacker with the corresponding access rights (such as "WebAdmin") who impersonated the victim could insert malicious JavaScript code into these notes; the code was executed when the victim visited the dashboard.

2) Stored Cross-Site Scripting in Media Selection Preview (CVE-2025-27801)
ContentReference properties, which could be used in the "Edit" section of the CMS, offered an upload functionality for documents. These documents could later be used as displayed content on the page. It was possible to upload SVG files containing malicious JavaScript code, which was executed when a user visited the direct URL of the preview image. Attackers needed at least the role "WebEditor" in order to exploit this issue.

3) Stored Cross-Site Scripting in Edit Preview (CVE-2025-27802)
RTE properties (text fields), which could be used in the "Edit" section of the CMS, allowed the input of arbitrary text. It was possible to input malicious JavaScript code into these properties, which was executed when a user visited the previewed page. Attackers needed at least the role "WebEditor" in order to exploit this issue.

Proof of concept:

1) Stored Cross-Site Scripting in Admin Dashboard (CVE-2025-27800) 
After adding a newly created note on the dashboard, it could be edited by sending the following request:

POST /EPiServer/CMS/Notes/Save?preferredNamespace=EPiServer.Cms.Shell.UI.Controllers.Internal&gadgetId=$GADGETID HTTP/2
Host: $SERVER
Cookie: sessionId=[...]; .EPiServerLogin=[...]; .ASPXROLES=[...]; __RequestVerificationToken=[...]
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

content=Test%3cbr%3e%3cimg%20src%3dx%20onerror%3dalert(window.location)%3e&__RequestVerificationToken=[...]

Visiting the dashboard again, as seen in figure 1 below, showed that the JavaScript code was executed:

Figure1: Stored XSS in Admin Dashboard


2) Stored Cross-Site Scripting in Media Selection Preview (CVE-2025-27801) 
The following SVG file containing a JavaScript alert could be uploaded as a document in one of the ContentReference properties:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>


Visiting the preview URL, as seen in figure 2 below, showed that the JavaScript alert was executed:

Figure 2: Stored XSS in Media Selection Preview Image
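
The advisory does not describe how the vendor's fix inspects uploads, so the following is an added example, not Optimizely's or SEC Consult's code. It shows the server-side validation a defender would want in front of a document store like the ContentReference upload above: parse the SVG as XML and reject it if it carries script-capable content (a `<script>` or `<foreignObject>` element, an `on*` event-handler attribute, or a `javascript:` URI in `href`/`xlink:href`). Only the Python standard library is used; the element and attribute sets are this example's own policy, and the sample files are constructed (the first one reproduces the advisory's proof-of-concept file).

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute script or embed arbitrary HTML inside an SVG (example policy).
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attributes that carry a URI; a javascript: scheme here runs on activation.
URI_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}


def _local_name(tag: str) -> str:
    """Strip the namespace part of an ElementTree tag, e.g. '{ns}svg' -> 'svg'."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list:
    """Return a list of findings describing script-capable content in an SVG upload.

    An empty list means nothing script-capable was detected. Unparseable input is
    reported as a finding so that malformed uploads are rejected, not passed through.
    The stdlib parser does not fetch the external DTD referenced by a DOCTYPE.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")

    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            if _local_name(attr).lower().startswith("on"):
                findings.append(f"event handler attribute {attr!r} on <{name}>")
            elif attr in URI_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in {attr!r} on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True when the upload may be stored and served inline as an image."""
    return not find_active_content(svg_bytes)


# Constructed sample: the advisory's proof-of-concept file (a 1x1 rect plus a <script>).
POC_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>"""

# Constructed sample: the same drawing without the script element.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" />
</svg>"""

if __name__ == "__main__":
    for label, data in (("poc", POC_SVG), ("clean", CLEAN_SVG)):
        print(label, find_active_content(data) or "no active content")
```

Upload-time validation is a complement, not a substitute, for how the preview URL serves the file: returning user uploads with a `Content-Disposition: attachment` header, or from a separate origin that holds no session cookies, keeps a browser from executing anything the validator missed in the context of the CMS origin.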


3) Stored Cross-Site Scripting in Edit Preview (CVE-2025-27802) 
When adding HTML elements directly in the input field, they were encoded by the frontend. The request, which was sent when editing the text, could be intercepted and modified so that the encoding was reverted. The following request was then sent to add a malicious JavaScript element that caused an alert when the element was rendered:


POST /EPiServer/cms/Stores/contentdata/$ID HTTP/2
Host: $SERVER
Cookie: .EPiServerLogin=[...]; 
Content-Length: 194
Content-Type: application/json
[...]

{"id":"$ID","properties":{"address":"\"[...]<script>alert(window.location)</script>[...]""},"action":$ACTIONID}

After publishing the changes, the page preview could be visited by clicking on the respective icon on the top right of the "Edit" section. Before the preview was shown, the JavaScript alert was executed, as can be seen in figure 3 below:

Figure 3: Stored XSS in Edit Preview
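
Issues 1 and 3 share a root cause: the note and RTE values were stored as submitted and rendered without server-side encoding, so the frontend's encoding could simply be undone by editing the request. The following is an added example, not Optimizely's code and not a model of the configuration option mentioned under "Solution": a server-side allowlist sanitiser that re-serialises submitted rich text, keeps only a fixed set of tags and attributes, drops `<script>`/`<style>` together with their bodies, rejects non-navigational `href` schemes, and HTML-escapes all text. The allowlist is a hypothetical policy; the inputs in the usage are constructed from the payloads shown in the proof of concept.

```python
from __future__ import annotations

import html
from html.parser import HTMLParser

# Hypothetical allowlist for a rich-text property: tag -> attributes permitted on it.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# Elements whose content is code rather than prose: drop them together with their body.
RAW_TEXT_TAGS = {"script", "style"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")


def _safe_href(value: str) -> bool:
    """Accept only navigational links; javascript:, data: and friends are rejected."""
    return value.strip().lower().startswith(SAFE_HREF_PREFIXES)


class AllowlistSanitizer(HTMLParser):
    """Re-serialise HTML keeping only allowlisted tags and attributes.

    Everything else is dropped (and recorded in `dropped`), and all text is
    HTML-escaped on output, so what reaches the page can no longer carry script.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []
        self.dropped: list[str] = []
        self._skipping: str | None = None  # set while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag] or (name == "href" and not _safe_href(value)):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self._skipping == tag:
            self._skipping = None
            return
        if tag in self.open_tags:
            # Close everything opened after this tag so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self._skipping is None:
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_rich_text(value: str) -> tuple[str, list[str]]:
    """Return (sanitised HTML, list of dropped tags/attributes) for a submitted value."""
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's payloads for issues 1 and 3.
    for submitted in ("Test<br><img src=x onerror=alert(window.location)>",
                      "<script>alert(window.location)</script>",
                      '<p>Hi <a href="https://example.org" title="t">link</a></p>'):
        print(sanitize_rich_text(submitted))
```

The sanitiser runs where the `/Stores/contentdata` and `/Notes/Save` handlers accept the value, i.e. on the server, so it cannot be bypassed by intercepting the request; the `dropped` list is useful as an audit signal, since a legitimate editor rarely submits `onerror` or `<script>`.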


Vulnerable / tested versions:

The vendor confirmed that the following plugin versions are affected:

  • Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5)
  • Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)

Vendor contact timeline:

2024-05-23 Contacting vendor through securityeng@optimizely.com
2024-05-24 Vendor responds to submit our vulnerabilities at Bugcrowd
2024-05-27 Asking vendor if it is possible via email, no suitable category at Bugcrowd; no response.
2024-06-04 Asking vendor where to submit the advisory for the CMS; Vendor confirms that Bugcrowd should not be used and requested advisory unencrypted via email. Submitted advisory.
2024-06-06 Sending requested information to the vendor; Vendor responds they got everything they need to check the provided advisory.
2024-06-10 Vendor provides details for all vulnerabilities. According to the information, most XSS issues are present due to intentional design choices; asking for details regarding affected versions and a planned timeline to fix the vulnerabilities.
2024-06-12 Vendor provides information that probably all versions are affected by the vulnerabilities, as it is a design choice; Stored XSS in Admin Dashboard and Media Selection Preview were only kept as a backlog/research item; there was no planned ETA for any of the 3 vulnerabilities.
2024-06-18 Contacted vendor, explaining why the vulnerabilities should not be considered as "by design".
2024-06-25 Update from vendor, that the issues were going to be flagged for resolution. The findings were planned to be resolved within 3 months.
2024-09-24 Asked for a status update.
2024-09-24 Vendor contact checked with product team internally.
2024-10-01 Asked for a status update.
2024-10-08 Vendor confirmed first XSS issue fixed in CMS 12. Team was working on remaining two issues, planned to be resolved by mid December.
2024-12-10 Asked for a status update.
2025-01-06 Vendor confirmed that the instances have been remediated and provides affected plugins and versions. Vendor asked to wait with publication until a scheduled retest had been performed later this month.
2025-02-05 Asked for a status update.
2025-02-24 Asked for a status update.
2025-03-07 Reserved CVE numbers, sending updated advisory to vendor, scheduled release for next week; Vendor was reviewing the advisory internally.
2025-03-14 Vendor asked to postpone publication until the end of Q2. Reason given is that some customers were still using CMS major version 11, while the patches were only developed for CMS major version 12.
2025-03-17 Asked vendor to clarify the updating process for customers.
2025-05-21 Asked for a status update.
2025-06-02 Vendor confirmed current timeline (end of Q2). There were different fixes for CMS version 11 and 12.
2025-07-01 Asked for a status update.
2025-07-03 Received fixed packages for CMS 11 and confirmation of packages for CMS 12.
2025-07-28 Coordinated release of advisory.

Solution:

The vendor provided the following updates. These versions of EPiServer.CMS.Core include a configuration to optionally filter for JavaScript code. Customers are urged to install the latest version and adjust the configuration accordingly in order to patch the security issues:

  • Version 11.X: Update EPiServer.CMS.Core to version 11.21.4 or higher; update EPiServer.CMS.UI to version 11.37.5 or higher (dependency requirement)
  • Version 12.X: Update EPiServer.CMS.Core to version 12.22.1 or higher; update EPiServer.CMS.UI to version 11.37.3 or higher (dependency requirement)

Workaround:

None

Advisory URL

https://sec-consult.com/vulnerability-lab/


EOF K. Zimmermann, F. Beie / @2025
